Subject: Re: Review Request 64228: Traverse check in RangerHdfsAuthorizer works incorrectly
From: Abhay Kulkarni
To: Velmurugan Periasamy, Madhan Neethiraj, Colm O hEigeartaigh, Ramesh Mani, Zsombor Gegesy
Cc: Abhay Kulkarni, ranger
Date: Tue, 05 Dec 2017 23:45:11 -0000
X-ReviewRequest-URL: https://reviews.apache.org/r/64228/

-----------------------------------------------------------
This is an automatically generated e-mail.
To reply, visit: https://reviews.apache.org/r/64228/
-----------------------------------------------------------

(Updated Dec. 5, 2017, 11:45 p.m.)


Review request for ranger, Colm O hEigeartaigh, Zsombor Gegesy, Madhan Neethiraj, Ramesh Mani, and Velmurugan Periasamy.


Changes
-------

Addressed review comments


Bugs: RANGER-1707
    https://issues.apache.org/jira/browse/RANGER-1707


Repository: ranger


Description
-------

The traversal check in RangerHdfsAuthorizer works incorrectly: when it is asked for access to /a/b/c.txt, it only checks whether there is a policy which grants EXEC to /a/b, but if there isn't any, then it doesn't check whether there is a policy which grants READ, WRITE or EXEC to /a/b/c.txt explicitly, which would mean that the path is accessible to the user.
This hasn't been noticed by the current unit tests, because HDFS before 2.8.0 doesn't call the traversal check before reading or writing a file; however, it will cause problems with 2.8.0, where FSDirectory.resolvePath will perform a mandatory traversal check.

This patch is based on the patch submitted for review (https://reviews.apache.org/r/61062/) with the following modifications.

1. If the traversal check (check for EXECUTE on the parent/ancestor if the resource is a file) does not fail with an explicit DENY by Ranger Authorizer, then it is presumed to have succeeded without any further checks and no audit record is created. If it fails with DENY, then the authorization fails and an audit record is created.
2. Test policies in hdfs-policies.json and test cases (RangerHdfsAuthorizerTest) are modified to test for the explicit DENY case.

Diffs (updated)
-----

  hdfs-agent/pom.xml 87ba777
  hdfs-agent/src/main/java/org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.java af4d9b5
  hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerAdminClientImpl.java 75d73aa
  hdfs-agent/src/test/java/org/apache/ranger/services/hdfs/RangerHdfsAuthorizerTest.java PRE-CREATION
  hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies-tag.json PRE-CREATION
  hdfs-agent/src/test/resources/hdfs_version_3.0/hdfs-policies.json PRE-CREATION


Diff: https://reviews.apache.org/r/64228/diff/3/

Changes: https://reviews.apache.org/r/64228/diff/2-3/


Testing
-------

Unit tested with HDFS versions 2.7.1 and 3.0.0.


Thanks,

Abhay Kulkarni
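
The traversal decision described in the message above, as an added Python model that is not part of the original message and is not Ranger's code. `Authz`, `POLICIES`, `evaluate`, `traverse_before`, `traverse_after` and `authorize` are hypothetical names, and the policies are constructed sample data.

```python
import posixpath
from enum import Enum


class Authz(Enum):
    ALLOW = 1
    DENY = 2
    NOT_DETERMINED = 3


# Constructed sample policies for one user: (path, access) -> policy result.
POLICIES = {
    ("/a/b/c.txt", "READ"): Authz.ALLOW,       # grant on the file only, nothing on /a/b
    ("/secret", "EXECUTE"): Authz.DENY,        # explicit deny on a directory
    ("/secret/key.txt", "READ"): Authz.ALLOW,
}


def evaluate(path, access):
    """No matching policy means the result is NOT_DETERMINED, not DENY."""
    return POLICIES.get((path, access), Authz.NOT_DETERMINED)


def traverse_before(path, audit):
    """Reported behaviour: traversal passes only with an EXECUTE grant on the parent."""
    return evaluate(posixpath.dirname(path), "EXECUTE") is Authz.ALLOW


def traverse_after(path, audit):
    """Modification 1: traversal fails only on an explicit DENY, which is audited."""
    parent = posixpath.dirname(path)
    if evaluate(parent, "EXECUTE") is Authz.DENY:
        audit.append(("DENY", "EXECUTE", parent))
        return False
    return True  # presumed successful: no further checks, no audit record


def authorize(path, access, traverse):
    """Traversal check first, then the access check on the file itself.
    Simplification of this model: only an ALLOW on the file grants access."""
    audit = []
    allowed = traverse(path, audit) and evaluate(path, access) is Authz.ALLOW
    return allowed, audit
```
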